Does not work with systemd-homed #18

Open
Thesola10 opened this issue May 14, 2022 · 9 comments

Comments

@Thesola10

What went wrong?
systemd-homed is a software solution for Linux user accounts that accepts FIDO2 tokens as an alternative for the user password, essentially providing a Chromebook- or macOS-esque "Log in with watch" feature if combined with WearAuthn.

And that's where the issue occurs: systemd-homed fails to register my watch as a login token.

Steps to reproduce

  1. Pair watch with Linux computer running systemd-homed
  2. Run homectl update --fido2-device=/dev/hidraw2 to register the watch as a login token (exact hidraw path may vary)
  3. The watch displays a confirmation for io.systemd.home ("Home Directory"), accept it.
  4. systemd-homed then errors out with the following error:
Initializing FIDO2 credential on security token.
👆 (Hint: This might require confirmation of user presence on security token.)
-- (this is where the first confirmation succeeds)
Generating secret key on FIDO2 security token.
Failed to ask token for assertion: FIDO_ERR_INTERNAL
-- (nothing shows up on the watch)

WebAuthn works perfectly through Firefox, through Flatpak, so it can't possibly be a permissions issue.

On a USB Yubikey, the correct behavior is that the key asks for presence twice. On WearAuthn, the second confirmation never happens.

Which model is your watch?
Fossil Q Explorist Gen 4

Which Android version is running on your watch?
Wear OS 2.34

Which version of WearAuthn are you using?
0.9.17 (Google Play)

I don't know how useful it is, but the app version also mentions "Credentials storage: Hardware".

@Thesola10
Author

Thesola10 commented May 14, 2022

Here is a Logcat dump, with the app set to "Debug" logging:

https://gist.github.com/Thesola10/98146c3db20051ffacf07598ea84202f

@Thesola10
Author

Documentation for systemd-homed states that the hmac-secret extension is required. Maybe that's the issue?

@fmeum
Owner

fmeum commented May 14, 2022

Yep, that's the issue. Since hmac-secret is required for any kind of offline login features and these are becoming more and more popular, it would be a great feature to add. I'm a bit constrained on time atm and would definitely welcome and support contributions.
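As an added diagnostic example (not WearAuthn's or systemd's own code), the following decodes a CTAP2 authenticatorGetInfo response and reports whether the token advertises the hmac-secret extension that systemd-homed requires, along with the `up` and `clientPin` options that the homectl flags act on. The two sample responses and their all-zero AAGUID are constructed for illustration.

```python
def decode(buf: bytes, pos: int = 0):
    """Minimal decoder for the definite-length CBOR subset CTAP2 messages use."""
    major, ai, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if ai < 24:
        val = ai
    elif ai <= 27:                        # 1/2/4/8-byte argument follows
        n = 1 << (ai - 24)
        val, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        raise ValueError("reserved or indefinite-length CBOR is not allowed in CTAP2")
    if major == 0:                        # unsigned int
        return val, pos
    if major == 2:                        # byte string (e.g. aaguid)
        return bytes(buf[pos:pos + val]), pos + val
    if major == 3:                        # text string
        return buf[pos:pos + val].decode("utf-8"), pos + val
    if major in (4, 5):                   # array or map (maps hold 2*val items)
        items = []
        for _ in range(val * (2 if major == 5 else 1)):
            item, pos = decode(buf, pos)
            items.append(item)
        return (dict(zip(items[::2], items[1::2])) if major == 5 else items), pos
    if major == 7 and val in (20, 21):    # simple values false / true
        return val == 21, pos
    raise ValueError(f"unsupported CBOR item: major {major}, value {val}")

def homed_token_report(get_info_body: bytes) -> dict:
    """Summarise the GetInfo fields that homectl's hmac-secret flow depends on."""
    info, _ = decode(get_info_body)
    versions, extensions, options = info.get(1, []), info.get(2, []), info.get(4, {})
    return {
        "fido2": any(v.startswith("FIDO_2_") for v in versions),
        "hmac_secret": "hmac-secret" in extensions,   # required by systemd-homed
        "user_presence": options.get("up", True),     # "up" defaults to true if absent
        "client_pin": options.get("clientPin"),       # None: PIN not supported at all
        "versions": versions, "extensions": extensions,
    }

# Constructed sample GetInfo bodies (the bytes after the CTAP2 status byte);
# the all-zero AAGUID is a placeholder, not any real authenticator's.
HMAC_TOKEN = bytes.fromhex(
    "a4"                                                # map(4)
    "01 82 68 4649444f5f325f30 66 5532465f5632"         # 1: ["FIDO_2_0", "U2F_V2"]
    "02 81 6b 686d61632d736563726574"                   # 2: ["hmac-secret"]
    "03 50 00000000000000000000000000000000"            # 3: aaguid (16 bytes)
    "04 a3 62726b f5 627570 f5 69636c69656e7450696e f4")  # 4: rk/up true, clientPin false
NO_HMAC_TOKEN = bytes.fromhex(
    "a3 01 81 68 4649444f5f325f30"                      # 1: ["FIDO_2_0"], no key 2
    "03 50 00000000000000000000000000000000"            # 3: aaguid
    "04 a2 62726b f5 627570 f5")                        # 4: rk/up true
```

A token whose report shows `hmac_secret: False` will be refused by homectl before any assertion is attempted, whereas one that advertises the extension but fails inside the assertion (as in the FIDO_ERR_INTERNAL above) has a problem in its hmac-secret implementation rather than in its advertised capabilities.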

@Thesola10
Author

Your comment in #5 mentions that hmac-secret is supported, what does that mean exactly?

@fmeum
Owner

fmeum commented May 14, 2022

It is implemented according to my understanding of the spec back at the time, but I remember the spec being unclear about some things (see the source comment "// hmac-secret requires user presence, but the spec is not clear on whether this has to be"). Also, since there wasn't any application to test the feature with, it may be broken.

@Thesola10
Author

Given the --fido2-with-user-presence=false flag on homectl, it appears that a hmac-secret client might be able to not require user presence?

@Thesola10
Author

Thesola10 commented May 15, 2022

Browsing through the logcat, weirdly enough, there's never an error or warning on the watch side of things, not even a claim of a "malformed message".

Pausing the authentication process before the second step yields an interesting behavior: WearAuthn logs absolutely nothing. The issue might be on systemd's side.

PS: The WearAuthn watch does not show up when I do homectl update --fido2-device=list, whereas my Yubikey does. That command should list all hidraw devices recognized by libfido2, so the issue might be on libfido2's side?

@Thesola10
Author

Managed to get libfido2 logging info by patching homectl:

https://gist.github.com/Thesola10/4639fdb4d5d82e8d0fc1251aacb81219

@Thesola10
Author

Any update?
